On May 16, 2009, at 10:32 AM, Johan Mazel wrote:
> I suppose that the values for linktype are the ones I'm talking about in my first
> mail: 01 for Ethernet, 06 for Token Ring, 07 for ARCnet, etc.?
Libpcap has two sets of link-layer type values - the DLT_ values,
which are what are returned by current libpcap APIs, and the LINKTYPE_
values, which are what appear in the header at the beginning of a
capture file. The LINKTYPE_ value is a 4-byte value starting at an
offset of 20 from the beginning of the file.
Almost all of the values are the same in both sets, but a few are
different because a few DLT_ definitions - DLT_RAW is one of them -
have different values in different BSDs, so a separate LINKTYPE_ value
is used for those, so that, for example, a "raw IP" capture has a
LINKTYPE_ value of 101 in the capture file header, no matter what OS
the capture was done on, even though on OpenBSD the DLT_ value you'll
get from pcap_datalink() will be 14 and on other OSes it'll be 12.
DLT_RAW is defined as 14 on OpenBSD and 12 on other OSes, so comparing
the return value from pcap_datalink() against DLT_RAW will work on all
OSes.
Ethernet is DLT_EN10MB, which happens to have the value 1. Token ring
is DLT_IEEE802, which happens to have the value 6; ARCNET, with a BSD-style
header, is DLT_ARCNET, which happens to have the value 7, etc.
(There's also DLT_ARCNET_LINUX, which is for ARCNET with a Linux-style
header; to quote the comment in bpf.h:
/*
* BSD's ARCNET headers have the source host, destination host,
* and type at the beginning of the packet; that's what's handed
* up to userland via BPF.
*
* Linux's ARCNET headers, however, have a 2-byte offset field
* between the host IDs and the type; that's what's handed up
* to userland via PF_PACKET sockets.
*
* We therefore have to have separate DLT_ values for them.
*/
so DLT_ values and LINKTYPE_ values don't correspond just to
physical (or virtual) network types; they correspond to the format of
the link-layer headers - and pseudo-headers, such as the radio
information headers for 802.11 - at the beginning of the packet.)
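As an added illustration of the two points above (this is example code written for this page, not code from the list or from libpcap itself), the following reads the 4-byte LINKTYPE_ field at offset 20 of the pcap global header, detects the file's byte order from the magic number, and shows the DLT_RAW-to-LINKTYPE_RAW remapping that makes the file header OS-independent. The headers it parses are constructed inline rather than read from a real capture; the 0xa1b2c3d4 / 0xa1b23c4d magic numbers and the 2.4 version check are from the pcap file format, and the handling of the old-style pcap format only (not pcapng) is an assumption of the example.

```python
"""Parse the pcap global header and map its LINKTYPE_ value.

Constructed example: the headers below are built inline, not read from a
real capture. LINKTYPE_ lives at offset 20, after magic(4), version
major(2), version minor(2), thiszone(4), sigfigs(4) and snaplen(4).
"""
import struct

# pcap magic numbers: microsecond and nanosecond timestamp variants.
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D

# LINKTYPE_ values as written in a capture file header (OS-independent).
LINKTYPE_NAMES = {
    1: "LINKTYPE_ETHERNET",    # DLT_EN10MB
    6: "LINKTYPE_IEEE802",     # DLT_IEEE802 (Token Ring)
    7: "LINKTYPE_ARCNET_BSD",  # DLT_ARCNET, BSD-style header
    101: "LINKTYPE_RAW",       # DLT_RAW, which is 12 or 14 depending on the OS
}

# DLT_RAW differs per OS, so it gets its own LINKTYPE_ value in the file.
DLT_RAW_BY_OS = {"openbsd": 14, "other": 12}
LINKTYPE_RAW = 101


def dlt_to_linktype(dlt, os_name="other"):
    """Translate a pcap_datalink()-style DLT_ value to the LINKTYPE_ value
    that belongs in a capture file header. Only DLT_RAW is remapped in this
    example; every other value shown is identical in both sets."""
    if dlt == DLT_RAW_BY_OS[os_name]:
        return LINKTYPE_RAW
    return dlt


def parse_pcap_header(data):
    """Return (byte_order, nanosecond_timestamps, snaplen, linktype) from the
    24-byte pcap global header, detecting endianness from the magic number."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (MAGIC_USEC, MAGIC_NSEC):
        order, magic = "<", magic_le
    elif magic_be in (MAGIC_USEC, MAGIC_NSEC):
        order, magic = ">", magic_be
    else:
        raise ValueError("not a pcap file: bad magic 0x%08x" % magic_be)
    # magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        order + "IHHiIII", data[:24])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    return order, magic == MAGIC_NSEC, snaplen, linktype


def linktype_name(linktype):
    """Human-readable name for a LINKTYPE_ value, or a marker for unknown ones."""
    return LINKTYPE_NAMES.get(linktype, "LINKTYPE_%d (unknown)" % linktype)


def build_header(linktype, order="<", snaplen=65535):
    """Construct a pcap global header for a given LINKTYPE_ value (test data)."""
    return struct.pack(order + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)


if __name__ == "__main__":
    # A raw-IP capture written on OpenBSD and on another OS ends up with the
    # same LINKTYPE_ value (101) at offset 20, despite different DLT_ values.
    for os_name in ("openbsd", "other"):
        lt = dlt_to_linktype(DLT_RAW_BY_OS[os_name], os_name)
        hdr = build_header(lt)
        print(os_name, DLT_RAW_BY_OS[os_name], "->", hdr[20:24].hex(),
              parse_pcap_header(hdr), linktype_name(lt))
```

The byte-order check matters in practice: a capture written on a big-endian host stores 101 as `00 00 00 65`, and reading the four bytes at offset 20 with the wrong endianness yields a nonsense link type, which is why the magic number is checked before anything else.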
This is the tcpdump-workers list.